BBC News Online: Sci/Tech


Friday, September 3, 1999 Published at 22:18 GMT 23:18 UK

Windows 'back door' security alert


By Internet Correspondent Chris Nuttall

Cryptographers are sounding the alarm on a major security issue involving Microsoft Windows that could eclipse its Hotmail public relations disaster.

The findings of a computer security expert that America's National Security Agency (NSA) may have been given a back door into every copy of Windows 95, 98, NT4 and 2000 worldwide are being debated across the Internet.

Microsoft has issued a strong denial of allegations of misuse of a second encryption "key" in Windows.

"These are just used to ensure that we're compliant with US export regulations," said Scott Culp, Microsoft's security manager for its Windows NT Server software.

"We have not shared the private keys. We do not share our keys."

But cryptographers in the UK described the implications of the findings as "immense". Windows is installed on more than 90% of the world's computers.

Second key for Windows

Andrew Fernandes, Chief Scientist at the Ontario-based Cryptonym Corporation, is credited with discovering the identity of a second key used by Windows for encryption purposes.

Caspar Bowden, director of London-based Internet think-tank FIPR, said: "The allegation is that every copy of Windows contains an extra 'magic number' which would permit it to work with encryption modules designed by the US National Security Agency, as well as those approved by Microsoft."

The approval mechanism was introduced so that the deliberately weakened encryption shipped in non-US versions of Windows could not simply be swapped for stronger software: before loading a replacement encryption module, Windows checks the module's digital signature against a public "key" embedded in the operating system, proving that Microsoft had signed it off.

Two years ago, cryptographers found a second embedded key alongside the first, one that appeared to serve no purpose. The new details came to light through debugging symbols erroneously left in the latest service pack for Windows NT.

Significantly, the key is labelled with the symbol name "_NSAKEY", giving rise to speculation that the NSA persuaded Microsoft to give it special access to Windows in a secret deal.

Microsoft says it labelled the key an "NSA key" because that agency reviews the technical details of data-scrambling software before it can be exported.

MS talked with NSA

It is known that Microsoft negotiated with the NSA over the inclusion of encryption in its products. The export of strong encryption is tightly restricted by the Clinton administration, which fears terrorists and other criminals could turn it against the US.

There are two theories on why this apparently unnecessary second key is included in Windows. One is the back-door allegation described above; the other is more innocent.

"The innocent explanation is that the US wished to create bespoke encryption modules for official use on government systems without reference to Microsoft," said Mr Bowden.

"Ironically, introducing the second key has created a major security loophole in a mechanism which was designed to enforce US export controls on strong cryptography."

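How the approval check works, and why a second accepted key matters, can be shown with a small model. The following is an added example, not code from the article, Microsoft or Cryptonym: it uses a toy textbook-RSA signature (keys far too small for real use) and a loader that accepts a module only if its signature verifies against one of two public keys embedded in the loader. The module contents and the key names are constructed for illustration, and the final scenario assumes the second key is plain data in the loader that a local attacker could overwrite; the article itself does not describe how the key is stored.

```python
"""Model of a two-key module-approval check (added example; toy RSA, not for real use)."""
import hashlib
import random

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; fine for a demonstration, not for real key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Textbook RSA keypair as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)

def rsa_verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == _digest(data, n)

class ModuleLoader:
    """Accepts an encryption module only if its signature verifies against one of
    the public keys embedded in the loader.  Slot "vendor" stands for Microsoft's
    key; slot "second" stands for the key the article calls _NSAKEY."""

    def __init__(self, vendor_key, second_key=None):
        self.keys = {"vendor": vendor_key}
        if second_key is not None:
            self.keys["second"] = second_key

    def accepted_by(self, module, sig):
        """Name of the first embedded key that validates the signature, or None."""
        for name, key in self.keys.items():
            if rsa_verify(key, module, sig):
                return name
        return None

    def accepts(self, module, sig):
        return self.accepted_by(module, sig) is not None

def demo(seed=1999):
    """Run the four scenarios; every value in the returned dict should be True."""
    random.seed(seed)  # repeatable toy keys; never seed like this for real keys
    ms_pub, ms_priv = rsa_keygen()
    second_pub, second_priv = rsa_keygen()  # who holds this private half is the dispute
    att_pub, att_priv = rsa_keygen()
    approved = b"export-grade module reviewed and signed by the vendor"  # constructed
    strong = b"strong module the export-control check is meant to block"  # constructed
    single, dual = ModuleLoader(ms_pub), ModuleLoader(ms_pub, second_pub)
    vendor_sig, att_sig = rsa_sign(ms_priv, approved), rsa_sign(att_priv, strong)
    second_sig = rsa_sign(second_priv, strong)
    return {
        # 1. A vendor-signed module loads whether or not a second key is embedded.
        "vendor_signed_loads": single.accepts(approved, vendor_sig) and dual.accepts(approved, vendor_sig),
        # 2. A module signed with an unknown key is rejected by both loaders.
        "unknown_signer_rejected": not single.accepts(strong, att_sig) and not dual.accepts(strong, att_sig),
        # 3. The holder of the second private key loads modules the vendor never reviewed.
        "second_key_bypasses_vendor": dual.accepted_by(strong, second_sig) == "second"
        and not single.accepts(strong, second_sig),
        # 4. Assumption (not from the article): the second key is plain data in the loader
        #    that an attacker can overwrite with their own public key, so the check passes.
        "patched_slot_loads_attacker_module": ModuleLoader(ms_pub, att_pub).accepts(strong, att_sig),
    }
```

Scenario 3 is the point at issue in the article: the check enforces only that a module was signed by one of the embedded keys, so whoever controls the second private key can approve modules Microsoft never saw. Scenario 4 is the assumed stronger case behind Mr Bowden's "loophole": a second accepted key is one more slot in the binary whose contents decide what loads, and any party able to change it gets the same power.
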
Microsoft suffered serious embarrassment on Monday when hackers exposed a simple way of breaking into the mailboxes of more than 40 million users of its Hotmail e-mail service.

